WordPress is a very popular platform, and I have had many WordPress installations over the years (even this site is based on it).
Being that popular has made this platform a target for many hackers. And even though it keeps updating and upgrading, over the years I found myself a victim of hostile takeovers.
In this article, I’ll discuss and demonstrate how to add two-step authentication as an extra level of security to your site or blog.
Protecting the admin panel of WordPress
The thing that helped me the most with hacker takeovers was to protect the admin panel.
After I blocked access to the wp-admin directory and the login page (wp-login.php) from the Internet (besides my specific address) I didn’t have such incidents.
It’s a bummer to wake up in the morning and find out that your site had been hacked and now, instead of your quality content you’re seeing flags running around or other things with political nature.
Of course, for most things, you or your hosting supplier have backups, and even if you didn’t lose any data in the process, it’s still very frustrating to restore.
I’m using the .htaccess file to block access to the admin panel with Rewritecond and Rewriterule.
|
1 2 3 4 |
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$ RewriteRule ^(.*)$ - [R=403,L] |
The code above checks if the requested URI is part of the admin panel, and if it is, makes sure that only IP addresses that are allowed to use it, are listed, in our case it’s 123.123.123.123
You can add as many addresses as you like. Just add more lines like so:
|
1 |
RewriteCond %{REMOTE_ADDR} !^125\.125\.125\.125$ |
This was very helpful for most use cases, but I had an extra requirement, which is to be flexible on the addresses that are allowed to log in.
Sometimes I wanted to log in from a different computer or device, which didn’t have the same IP as my home or office, like when I’m traveling or at a friend’s house.
That’s why I built a two-step authentication process.
Two-step authentication for WordPress (or other platforms)
What I wanted to achieve is to add an extra layer of security to the login process, which will enable me to log in to my blog and still be considered relatively secure.
Due to its open-sourced nature, WordPress (and other platforms) has the same set of security features and flaws across all installations with the same version.
Changing this, even a little bit, might help a lot in preventing attacks, as standard installations are easier to hack.
My implementation
I wanted to keep the admin panel blocked from the Internet, while still be able to connect from addresses that I couldn’t pre-approve.
So I created an extra login page, which is accessible to everyone with the link, and of course, kept it to myself and didn’t link to it from anywhere.
On the new login page, I implemented a basic authentication login (which is fine, as long as it’s on an https page), and programmed it to modify which IP addresses are allowed in the regular WordPress admin panel.
Few notes on this solution:
1. Every time you open a doorway from a secured system, make sure you think about all scenarios and be willing to make the trade-off, security vs. comfort.
In my case, I’m willing to have a small door opened from the “all tight” solution presented in the first section, in favor of the possibility to be able to log in from afar.
2. Editing .htaccess file in real-time via a PHP script is not something you should do without thinking it through.
Make sure that it’s the right solution for you, and you understand the risks that might be involved using this.
Either way, always have a backup .htaccess file and make sure that restoring it can be done quickly and easily (from cPanel for instance).
Having said that, I believe that after considering the risks and leaving a “doorway opened”, this solution is better than the standard WordPress or another platform has to offer.
Now, let’s get to the code
Creating the second login page
Let’s create the new login page with basic authentication (don’t use it unless your site is on HTTPS, otherwise, the passwords are sent as clear text).
Create a file named privatelogin.php and put it on the root of your blog.
|
1 2 3 4 5 |
$user = $_SERVER['PHP_AUTH_USER']; $pass = $_SERVER['PHP_AUTH_PW']; $validated = false ; if ($user == 'myusername' && $pass == 'mypassword') $validated = true ; |
In the code above, we’re getting the user and password from the browser’s default dialog box. We’re also checking if the user entered the right username and password.
Here is the place to check it against a database, a file or everywhere you want your users and credentials to be stored. For the sake of this article, I’m just checking it via code.
|
1 2 3 4 5 |
if (!$validated) { header('WWW-Authenticate: Basic realm="My Blog"'); header('HTTP/1.0 401 Unauthorized'); die ("Not authorized"); } |
This section is the one responsible for sending an unauthorized header in case the user is not validated.
Editing .htaccess file to allow access to the admin panel
First, make sure your .htaccess has a part in it that already blocks access to the admin panel and allows only specific IP address.
|
1 2 3 4 5 6 7 |
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$ #!start auto added! RewriteCond %{REMOTE_ADDR} !^125\.125\.125\.125$ #!end auto added! RewriteRule ^(.*)$ - [R=403,L] |
Notice the 5th line above, this line will be replaced with our current IP address after we’ve successfully logged in to the second login page.
Next, we’ll run through our current .htaccess and look for the line to replace. We’ll recognize it by a pre-defined string, I used !start auto added! string to know that the next line is the one that needs to be replaced.
Once we recognized our line, we’ll simply build a new one, with our current IP address (that will allow us to login to the regular admin panel’s login).
Make sure to escape the dots (.) in the .htaccess file.
The last step is to re-write our .htaccess file and redirect the page to the regular login page.
I added a check to make sure that an empty file (or too small ) is being written.
Add to privatelogin.php this section:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
$line_detect_start = "!start auto added!" ; $htaccessContents = "" ; $file_handle = fopen(".htaccess", "r"); $isAutoAdd = false ; while (!feof($file_handle)) { $line = fgets($file_handle); if ($isAutoAdd) { $isAutoAdd = false ; $ipAddress = str_replace(".", "\.", get_ip_address()); $htaccessContents .= "RewriteCond %{REMOTE_ADDR} !^$ipAddress$ \n"; continue; } if (strpos($line,$line_detect_start)>0){ $isAutoAdd = true ; } $htaccessContents .= "$line" ; } fclose($file_handle); if (strlen($htaccessContents)> 100 ){ $myfile = fopen(".htaccess", "w") or die("Unable to open file!"); fwrite($myfile, $htaccessContents); fclose($myfile); header("Location: https://yourblogaddress.com/wp-admin"); exit(); } echo "Something went wrong... could not direct you to a secure login."; |
Now, every time you log in to privatelogin.php you’ll be asked for a username and password, and once you successfully entered, you’ll be redirected to the login page.
Conclusion
We talked about how to block and protect the admin panel for WordPress, which is considered by many as a weak spot.
I’ve shared my experience that blocking it helped me stop attacks on various sites I built.
We also talked about factoring an additional security for the start login page, and how we can modify it to make it easier for us (and only us) to log in securely to our system.
Whether you follow this implementation or not, I recommend thinking outside the box when securing your assets. It’s easier to hack or attack standard or widely spread systems.
Let me know in the comments below what you think.
Pingback: Quick Tip: {REMOTE_ADDR} behind proxy or Firewall .htaccess | Roei's Tips Stream